Gigabit link monitoring
vern at ee.lbl.gov
Tue Jul 25 00:30:12 PDT 2000
> Bro uses the libpcap packet capture library... the library uses
> different ways to capture packets on various OS platforms...
> If I'm not mistaken, for fast networks it's better to use
> BSD-derived operating systems (OpenBSD, FreeBSD...) because
> they use the BPF packet filtering mechanism that is part of the operating
> system... and as far as I know BPF provides the best performance...
> however, I'm sure that even BPF's performance would not be enough
> for gigabit networks... Unless BPF+ replaced the original BPF
> implementation, there's no way bro can sustain gigabit speed.

What's crucial is the make-up of the traffic: how much is there, how much
of it matches the filter, and what sort of analysis has to be performed
for the captured traffic.

We currently have several Bros monitoring GigEther links. They don't
usually have trouble keeping up, and this is running on old hardware.
However, even LBL's access link is nowhere close to saturated. (Bro on
that hardware could not keep up with a significantly higher traffic flow.
We have newer hardware coming in, though, which I'm betting can.) The one
trick we use is large kernel BPF buffers, and making sure that libpcap
doesn't limit the buffer size. This wasn't that important for 100 Mbps,
but is crucial for Gbps.